Description

An unauthenticated remote code execution (RCE) vulnerability exists in applications that use version 1.0.5 of the Replicator npm (node package manager) package to deserialize untrusted user input and execute the resulting object.

PUBLISHED Reserved 2026-02-09 | Published 2026-04-01 | Updated 2026-04-01 | Assigner certcc

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

1.0.5
affected

References

github.com/inikulin/replicator

github.com/inikulin/replicator/pull/19

morielharush.github.io/...deserialization-of-untrusted-data/

cve.org (CVE-2026-2265)

nvd.nist.gov (CVE-2026-2265)
